A measured look at real risks to school networks, with a level-headed approach.

INTERVIEW | by Victor Rivero

Technology keeps moving forward, with or without the general population being educated on specific advances. In a brave new world of cyber hacks and attacks, are campus networks somehow an easy target for malicious intruders? If so, what are the details, and why does it matter? And technologically speaking, can data science, machine learning, and behavioral analysis be applied to detect malicious behavior in a network? What if all detections could be correlated and prioritized to show an attack in context? Could this sort of ‘machine learning’ adapt as attacks evolve and make college and university network and IT officials have an easier time of it? We talked to a company well-versed in these

Unlike vendors that attempt to make every piece of malware sound like the end of the world, it is important to show IT security teams which threats actually pose the greatest risks to the university.

matters to find out more. Wade Williamson (pictured, above) of Vectra Networks, a cyber security company with an engineering team of data scientists, network security engineers and user interface designers that builds solutions to such questions every day, provides the responses.

Your company has worked with universities helping them with their BYOD challenges; what do you see are some of the greatest risks and challenges facing universities today, considering the number of students arriving to campus with 3 and even 4 devices a piece?

Wade: Universities have been grappling with BYOD long before the industry had a name for it. Although it’s not a new problem, the challenge is rapidly accelerating. The hyper-growth of smart devices, as well as the emergence of Internet-of-Things (IoT) devices, makes it impossible for security staff to secure every endpoint.

We work with universities to help tame this complexity with our ability to detect malicious behaviors on the network, regardless of what device or operating system generated the attack traffic. Instead of trying to herd a near infinite number of cats, Vectra gives IT teams a lingua franca that recognizes the unique behaviors of a threat that are common to all platforms.

Cyber security companies use scare tactics to drum up business. True statement? What are some anecdotes of real threats? What’s the nature of the threats to a higher education institution’s network? What sorts of situations are actually arising? What sort of statistics are available that highlight this area of risk?

Wade: Some security companies resort to using FUD (fear, uncertainly and doubt) to market their products, but that is certainly not true of all vendors. In fact, a good security company will never take this route because over-inflating a risk can make it harder to see real threats when they arise.

Unlike vendors that attempt to make every piece of malware sound like the end of the world, it is important to show IT security teams which threats actually pose the greatest risks to the university. For example, students on campus will always have devices infected with malware. What we do is distinguish between the opportunistic malware vs. the more targeted malware and attacks that seek to capture or destroy university data. Targeted cyber attacks are the ones that pose the biggest risk to the institution.

It’s also important to recognize that large-scale attacks and breaches are rising in a very quantifiable and measureable way. Legislation requires that many types of breaches must be reported, and a simple analysis of these records show that breaches are indeed accelerating.

As an example, Vectra’s recent Post-Intrusion Report provides additional insight into what is going on in higher education networks. Based on an analysis of Vectra customers and prospects, we identified malicious lateral movement inside networks as the most common behavior in higher education and K-12.

Lateral movement occurs when attackers move deeper into a network after an initial infection. It happens when attackers either spread malware to other devices in the network or steal a victim’s username and password to log into protected resources. This malicious behavior is common in higher education networks because they offer a very broad attack surface that gives attackers ample opportunities to get inside.

What problems are campus IT officials focused on these days? How are you making their job easier?

Wade: IT security teams in higher education are simply overwhelmed. They have large, extended campuses with many users, high value data, and of course a constant barrage of new threats. The common complaint we hear is that there just isn’t enough time in the day to detect or mitigate cyber threats that evade perimeter security and spread inside networks.

IT security teams in higher education are simply overwhelmed. They have large, extended campuses with many users, high value data, and of course a constant barrage of new threats.

Some security products can actually drain IT security teams and resources because they are complex and require a significant amount of time, analysis, and continuous tuning to maximize their full value.

Vectra turns that model on its head by automating the intensive work of investigating and analyzing active cyber attacks. Instead of hours and days of specialized analysis, Vectra does the heavy lifting and gives direction so that anyone on the IT security team can take quick action to mitigate these attacks and prevent them from spreading.

Corporate vs. higher education: Hackers exist, if higher education perimeters are weaker, is there a trend toward hackers targeting higher education institutions vs. more robust corporate networks? Who are the hackers – US students, foreign criminals from the same familiar pockets?

Wade: Higher education faces every type of attacker there is. I would definitely not point to any one culprit group or region. Higher education obviously has research facilities with highly sensitive data as well as private FERPA-regulated personal data that attract sophisticated cyber attackers and even nation-state-backed attackers.

Embracing a large, open and collaborative environment also means campuses face large botnets and malicious campaigns driven by organized crime. It’s also important to remember that universities have a young, curious and sophisticated population of students that might attempt to hack the network just to see if it’s possible. Because of all this, yes, I believe there is a trend of targeting higher education networks.

Your literature talks about stopping targeted attacks in progress. What does that mean? What’s going on?

Wade: The vast majority of network security focuses on identifying and stopping the initial infection, such as someone opening a piece of malware or being exploited at a malicious site. However, an infection is typically an opening gambit to a much larger attack.

Once cyber attackers infect a laptop, they will find the location of key assets and move deeper into the network. It’s common for attackers to covertly coordinate multiple steps along the way as they move deeper into the network and ultimately steal or destroy data.

Vectra focuses on detecting and mitigating the ongoing phases of an active cyber attack before very serious damage is done. Think of it as a physical immune response. You have skin and a variety of barriers to keep germs on the outside, but like the immune system, we are always searching out any bad things that make it inside. To sum it up, Vectra makes make threat management as easy as possible for IT security teams, but as complicated as possible for cyber attackers.

Seems illogical. How can a security system be easy for a user, but hard for an attacker?

Wade: It’s really about tilting the asymmetry of security in the favor of IT. By asymmetry I mean that today, hackers have a near-infinite number of opportunities to launch an attack and they only have to win once. There are many devices and many vulnerabilities, and they will wait patiently to find an opening. Once inside the network, cyber attackers are free to spy, spread and steal, undetected.

Vectra inverts that dynamic by constantly looking for all the behaviors that attackers must perform inside a network in order to succeed. Instead of putting our security eggs in one basket, Vectra has dozens and dozens of ways to reveal attackers throughout the long process of the intrusion. We turn the table on sophisticated attackers by creating many opportunities to catch them and now we only need to win once.

Privacy is very important in academic environments, and it seems like security is often at odds with privacy. Is this a fundamental trade-off or are there ways to provide security while protecting privacy and academic freedom?

Wade: Privacy is a big challenge that’s especially common in higher education, financial institutions, insurance and healthcare. With the rise of web applications that use SSL by default, more and more network traffic is encrypted. While encrypted traffic can provide some protection for the end-user, it also hides the content from security and consequently provides a hidden avenue for cyber threats. Some networks rely on SSL decryption to solve this problem, but it comes with performance penalties, technical challenges, and legal issues, especially where academic freedom is a top concern.

In our case, we give IT security teams a new and better option that protects data without prying. One of the things that makes our approach unique is that we do not dig into the contents of a conversation looking for a malicious payload.

Instead, Vectra uses mathematical models and algorithmic traffic analysis to reveal the underlying behaviors of attackers. In short, we care less about what the traffic is carrying and instead identify what the traffic is doing.

The major benefit of this approach is that our unique algorithms identify what the traffic is doing, even when the traffic is encrypted. For example, we can tell when a bot is impersonating a user and when a connection is remotely controlled by an outside attacker without decrypting traffic. This enables universities to concurrently embrace both security and privacy.